Contagious Interview (DPRK) hides an OTTERCOOKIE-aligned payload in SVG-comment steganography inside fake coding-interview repos
Elastic Security Labs disclosed a new instance of the long-running DPRK-aligned Contagious Interview campaign (internally tracked REF9403) after the operators targeted Elastic's own community Slack workspace with a fake job posting and a "coding challenge" project (Elastic Security Labs, 2026-07-18). The lure is a fully functional take-home project — a Next.js e-commerce template copied from a real open-source repository — that a candidate is asked to run. The novelty is where the payload hides: it is "split into Base64 fragments inside HTML comments across every SVG flag image inside an assets directory" (Elastic Security Labs, 2026-07-18). The files look like ordinary country-flag images; a JavaScript loader in the repo reassembles the comment fragments from every flag in alphabetical order, decodes them with a custom Base64 routine, and runs the result with eval() — deliberately avoiding atob() and Buffer.from so simple content scanners do not flag the decode. Because the project's package.json wires the loader into the server entry point, the payload runs on every npm run dev / npm start, and the trojanized repositories "have zero detections and are not flagged by any AV vendors" (Elastic Security Labs, 2026-07-18).
The payload is a four-stage chain Elastic assesses as aligned with OTTERCOOKIE (first documented by NTT Security in December 2024, overlapping the BEAVERTAIL lineage). Stage one enumerates browser profiles across Windows, macOS and Linux and steals saved credentials, autofill data and cryptocurrency-wallet-extension stores, masquerading its process as a benign npm-cache process. Stage two recursively discovers and exfiltrates sensitive files — environment files, private keys, keychains, shell histories, documents and source code. Stage three opens a persistent Socket.IO command-and-control channel giving the operator interactive shell execution, with sandbox/VM detection used to tag rather than halt on analysis machines. Stage four (Windows) drops further second-stage binaries disguised as text files and adds a clipboard stealer polling every 500 ms.
The payloads are split into Base64 fragments inside HTML comments across every SVG flag image inside an assets directory.
These trojanized repositories at the time of writing have zero detections and are not flagged by any AV vendors
ATT&CK mapping
7 techniques mapped from the cited reporting · MITRE ATT&CK v19.1
Execution TA0002
T1204.002User Execution: Malicious File
An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Attachment. Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, .cpl, .reg, and .iso.
Stealth TA0005
T1027.003Obfuscated Files or Information: Steganography
Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files.
Credential Access TA0006
T1552.001Unsecured Credentials: Credentials In Files
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
T1555.003Credentials from Password Stores: Credentials from Web Browsers
Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers.
Discovery TA0007
T1083File and Directory Discovery
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Collection TA0009
T1115Clipboard Data
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Command and Control TA0011
T1071.001Application Layer Protocol: Web Protocols
Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Sources
AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.